[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Rdo-list] Fwd: RDO with Red Hat IDM



On 05/30/2013 08:04 PM, Adam Young wrote:
On 05/30/2013 05:58 PM, Dave Neary wrote:
Hi Adam,

Can you have a look at this post on rdo-list and see if you can figure
out what's going wrong, please?

Thanks!
Dave.



-------- Original Message --------
Subject: [Rdo-list] RDO with Red Hat IDM
Date: Thu, 30 May 2013 17:13:59 -0400
From: Michael Solberg <msolberg redhat com>
To: rdo-list redhat com

Hi list.

I've spent a day or two now trying to use Red Hat IDM as a backing store
for Keystone in RDO and I'm about to pull my hair out.

I started with Adam Young's blog post here:
http://adam.younglogic.com/2012/02/freeipa-keystone-ldap/

Then I watched his Summit video here:
http://www.openstack.org/summit/portland-2013/session-videos/presentation/securing-openstack-with-freeipa


Then I tried to follow this document:
http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-keystone-for-ldap-backend.html


I definitely ran into the domain_id problem described here:
https://lists.launchpad.net/openstack/msg23387.html

I also ran into the issue around the RFC 4519 schema not allowing a
"enabled" attribute.  I think I've mitigated this by setting the
"attribute_ignore" settings in keystone.conf.

I've tried tackling the architecture from a few different directions and
I've gotten to the point where I can create roles, create tenants, and
list users in my IDM domain, but not assign roles to users.  I think
this is because I'm trying to separate out the tenants and roles from
the users in the directory tree.  I don't mind keystone creating objects
in it's own tree, but I don't want it updating user accounts from IDM.

So,  you have put projects into their own subtree?  Can the LDAP user
from Keystone modify that tree?

Yes - for right now, I'm just using the cn=Directory Manager account. I figured I'd work on the ACLs once I got the mappings correct. All of my issues so far have been around Keystone trying to create or read objects in the tree that don't conform to the standard directory types that we ship in IDM (groupOfNames, posixaccount, etc). That's why I was curious if someone had a working configuration that I could look at. It looks like we've documented using AD upstream, but not IDM.

I think what I want is something like this:

user_tree_dn = cn=users,cn=accounts,dc=atl,dc=salab,dc=redhat,dc=com
user_objectclass = person
user_domain_id_attribute = businessCategory
user_id_attribute = uid
user_name_attribute = uid
user_mail_attribute = email
user_pass_attribute = userPassword
user_attribute_ignore = enabled
user_allow_create = False
user_allow_update = False
user_allow_delete = False
(This is the IDM-managed list of users)

tenant_tree_dn = ou=tenants,cn=openstack,dc=atl,dc=salab,dc=redhat,dc=com
tenant_attribute_ignore = enabled
(This is the Keystone-managed list of tenants)

role_tree_dn = ou=roles,cn=openstack,dc=atl,dc=salab,dc=redhat,dc=com
role_attribute_ignore = enabled
(This is the Keystone-managed list of roles)

I would think you would want to make user that has ACLs set up
permitting them to make modifications to that tree, but not to add
users.  Configure Keystone to use that user to talk to LDAP.

Yep. Once I figure out what a working configuration looks like, I was going to go down the that road.

Michael.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]